An Experimental Study of TLS Forward Secrecy Deployments
Authors: L.S. Huang, S. Adhikarla, D. Boneh, and C. Jackson
Abstract:
Forward secrecy guarantees that eavesdroppers simply cannot reveal
secret data of past communications. While many TLS servers have
deployed the ephemeral Diffie-Hellman (DHE) key exchange to support
forward secrecy, most sites use weak DH parameters resulting in a
false sense of security. In our study, we surveyed a total of 473,802
TLS servers and found that 82.9% of the DHE-enabled servers were
using weak DH parameters. Furthermore, given current parameter and
algorithm choices, we show that the traditional performance argument
against forward secrecy is no longer true. We compared the server
throughput of various TLS setups, and measured real-world client-side
latencies using an ad network. Our results indicate that forward
secrecy is no harder, and can even be faster using elliptic curve
cryptography (ECC), than no forward secrecy. We suggest that sites
should migrate to ECC-based forward secrecy for both security and
performance reasons.
Reference:
In Proceedings of W2SP 2014
IEEE Internet Computing 18(6): 43-51 (2014)